Comment to 'Blocking hackers from registering'
  • All of these are good ideas, the reCAPTCHA and honey pot ideas especially. Also, if you want, you can get the Ninja Firewall, which is used a lot with WordPress; they have a website version you can install with standard and Pro features, which will limit the number of logins and monitor IP activity. You just create a directory folder to install the PHP scripts into, name the folder whatever you want, and follow the install instructions. I have a post here somewhere concerning installation configuration, since there are three ways to do so depending upon your host configuration. When the firewall is on, it will not allow you to click on the Settings module in the Studio, hence if you need to use your Settings you turn off Ninja, or, if you have the Premium license, you whitelist your IP so that you do not have to turn it off. It prevents people from accessing the Settings, can stop multiple login attempts, and performs other security functions.

    It is similar to ModSecurity when a host has a ModSecurity user dashboard installed in the cPanel features. However, Ninja is placed inside UNA. This adds another layer to your site from within, after the .htaccess settings layer.

    One more thing: there is an .htaccess file list of nearly 1000 bad bots you can search for online, and add its script to your .htaccess file in your installation, which will reduce the number of bots that can access your site. And you can add more banned bots to it by looking at other bad bots listed on the internet. Furthermore, your host should be able to provide a list of countries you can ban from accessing your site. The Premium Ninja Firewall also allows you to select country IP addresses to ban. The list of banned country IPs is added to the .htaccess file; hence, you can copy and use that list along with the banned bad bots list, and use the .htaccess on other websites you have, such as WordPress etc.

    You might note that large numbers of nefarious actors, in terms of geography, come to us from certain regions of the world. Of course there are bad actors scattered everywhere. You can cut down the numbers of them by banning entire countries. Furthermore, revenue-wise, providing services to every country is not wise, since you may have limited disk space, and some countries are not going to financially support the advertising you set up for revenue.

    I know that some bots are scanning my installation looking for directories associated with WordPress, testing my UNA site to see if it is a WordPress-based site. This can be used to set up honey pot traps in terms of fake directories, with some WordPress scripts with fake account and database information, including a fake wp-admin.php page. Fake directories with a 404 redirect to a 404 page can fool some people into thinking they found the directories they want to exploit. Also, some bots search to see if you are using a XAMPP installation of Apache and PHP, and attempt to call up the phpMyAdmin URL to test for a XAMPP server. You see some strange and interesting things when you view your ModSecurity or Ninja Firewall dashboards.
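As an added example (not from the original post, and not code from UNA or Ninja Firewall), here is a small Python script that does the detection the comment describes by hand: it reads Apache combined-format access log lines, flags IPs that probe for WordPress or phpMyAdmin paths on a site that runs neither, and renders the flagged IPs as Apache 2.4 `Require not ip` lines you could review before adding to .htaccess. The log lines, IP addresses and probe path list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:02:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:03:05 +0000] "GET /page/view-profile HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Paths that only exist on WordPress or XAMPP/phpMyAdmin hosts; on a UNA site any
# request for them is a scanner checking for a different stack (list is illustrative).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'^/wp-(login|admin|content|includes|config)',
    r'^/xmlrpc\.php',
    r'^/(phpmyadmin|pma|myadmin)(/|$)',
)]

def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)

def probing_ips(log_text, threshold=1):
    """Return {ip: [probed paths]} for IPs with at least `threshold` probe requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_probe(m['path']):
            hits[m['ip']].append(m['path'])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

def deny_from_lines(ips):
    """Render flagged IPs as Apache 2.4 Require directives for .htaccess (review before use)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(deny_from_lines(probing_ips(SAMPLE_LOG)))
```

Raise `threshold` on a busy site so a single stray request does not get an address blocked, and keep the generated block separate from the bad-bot and country lists so each can be reviewed on its own.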